This is an automated email from the ASF dual-hosted git repository.

alamb pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/arrow-rs.git


The following commit(s) were added to refs/heads/main by this push:
     new 1a721a4424 Document Security Policy (#9730)
1a721a4424 is described below

commit 1a721a442435f8de0b6d3d97a5348fe3fe2e13b4
Author: Andrew Lamb <[email protected]>
AuthorDate: Fri Apr 24 18:42:23 2026 -0400

    Document Security Policy (#9730)
    
    # Which issue does this PR close?
    
    <!--
    We generally require a GitHub issue to be filed for all bug fixes and
    enhancements and this helps us generate change logs for our releases.
    You can link an issue to this PR using the GitHub syntax.
    -->
    
    - Closes https://github.com/apache/arrow-rs/issues/9727
    
    # Rationale for this change
    
    Other arrow subprojects (C++ in particular) have been beset recently by a
    deluge of low quality bug reports masquerading as security problems.
    
    To reduce this flow and make it easier to direct people to the
    appropriate bug vs feature venue, we should document our security
    posture better.
    
    # What changes are included in this PR?
    1. Add SECURITY.md
    2. Clarify what is a bug vs a security issue
    3. Sprinkle links to SECURITY around
    
    # Are these changes tested?
    
    By CI
    
    # Are there any user-facing changes?
    
    yes, new policy
    
    ---------
    
    Co-authored-by: Ed Seidl <[email protected]>
---
 README.md                |  3 +-
 SECURITY.md              | 83 ++++++++++++++++++++++++++++++++++++++++++++++++
 arrow-avro/README.md     |  6 ++--
 arrow-csv/README.md      | 33 +++++++++++++++++++
 arrow-flight/README.md   |  5 +++
 arrow-ipc/README.md      | 34 ++++++++++++++++++++
 arrow-json/README.md     | 33 +++++++++++++++++++
 arrow/README.md          | 19 +++++++++++
 arrow/src/lib.rs         | 32 +++++++++++++++----
 parquet/README.md        |  6 ++++
 parquet_derive/README.md |  8 ++++-
 11 files changed, 252 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 70f2f158e2..0735dae57c 100644
--- a/README.md
+++ b/README.md
@@ -42,7 +42,7 @@ This is a great place to meet other contributors and get 
guidance on where to co
 However, all technical designs should also be recorded and formalized in 
GitHub issues, so that they are accessible to everyone.
 In Slack, find us in the `#arrow-rust` channel and feel free to ask for an 
invite via Discord, GitHub issues, or other means.
 
-There is more information in the [contributing] guide.
+There is more information in the [contributing] guide and the [security] 
policy.
 
 ## Repository Structure
 
@@ -186,3 +186,4 @@ You can find more details about each crate in their 
respective READMEs.
 [issues]: https://github.com/apache/arrow-rs/issues
 [pull requests]: https://github.com/apache/arrow-rs/pulls
 [discussions]: https://github.com/apache/arrow-rs/discussions
+[security]: SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..d10bbb0a24
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,83 @@
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+
+# Security Policy
+
+This document outlines the security model for the Rust implementation of 
Apache Arrow (`arrow-rs`) and how to report vulnerabilities.
+
+## Security Model
+
+The `arrow-rs` project follows the [Apache Arrow Security Model]. In 
particular:
+
+- Reading data from untrusted sources (e.g., over a network or from a file) 
requires explicit validation.
+- Failure to validate untrusted data before use may lead to security issues.
+
+This implementation provides APIs such as [`ArrayData::validate_full`] to
+validate that Arrow data conforms to the specification.
+
+Unexpected behavior (e.g., panics, crashes, or infinite loops) triggered by
+malformed input is generally considered a **bug**, not a security
+vulnerability, unless it is **exploitable** and could allow an attacker to
+
+* Execute arbitrary code (Remote Code Execution);
+* Exfiltrate sensitive information from process memory (Information 
Disclosure);
+
+If that exploitation path is unclear, the issue should likely be reported as a
+bug.
+
+## Rust Safety, Soundness, and Undefined Behavior
+
+Rust has a very [specific definition of unsafe]. When unsafe behavior results
+from using safe code, the code is unsound and can lead to undefined behavior
+(UB), which may be exploitable.
+
+However, not all soundness issues are exploitable. In general, issues that
+result in undefined behavior using safe APIs are considered bugs unless they
+meet the exploitability bar defined above.
+
+We therefore avoid classifying all unsoundness bugs as security
+vulnerabilities (e.g. filing [RUSTSEC] and/or [CVE] advisories), which helps
+avoid unnecessary downstream churn and keeps our focus on the most critical 
issues.
+
+[specific definition of unsafe]: 
https://doc.rust-lang.org/book/ch20-01-unsafe-rust.html
+[rustsec]: https://rustsec.org/
+[cve]: https://cve.mitre.org/
+
+## Reporting a Bug
+
+We treat all bugs seriously and welcome help fixing them. If you find a bug
+that does not meet the criteria for a security vulnerability, please report it
+in the public issue tracker.
+
+## Reporting a Vulnerability
+
+For security vulnerabilities, please follow the responsible disclosure process
+below so we can investigate and fix the issue before it is exploited in the
+wild.
+
+**Do not file a public issue.** Follow the [ASF security reporting process] by 
emailing [[email protected]](mailto:[email protected]).
+
+Include in your report:
+- A clear description and minimal reproducer.
+- Affected crates and versions.
+- Potential impact.
+
+[Apache Arrow Security Model]: 
https://arrow.apache.org/docs/dev/format/Security.html
+[`ArrayData::validate_full`]: 
https://docs.rs/arrow/latest/arrow/array/struct.ArrayData.html#method.validate_full
+[ASF security reporting process]: 
https://www.apache.org/security/#reporting-a-vulnerability
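Review bot: the exploitability list that decides bug vs vulnerability (`* Execute arbitrary code (Remote Code Execution);` / `* Exfiltrate sensitive information from process memory (Information Disclosure);`) ends on a dangling semicolon with no closing "or" or full stop, so it reads as cut off; close it as "...(Remote Code Execution); or" / "...(Information Disclosure)." Since the list is the whole bar, it would also help to say explicitly where resource exhaustion lands: the "e.g., panics, crashes, or infinite loops" example set already treats hangs as bugs, so adding "unbounded memory allocation" there would pre-empt the most common class of malformed-input report against the IPC and Parquet readers. Minor: `[rustsec]:` and `[cve]:` are defined in lowercase while used as `[RUSTSEC]`/`[CVE]`; CommonMark matches case-insensitively, but every other definition in this file keeps the casing of its use.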
diff --git a/arrow-avro/README.md b/arrow-avro/README.md
index c5776c125b..dbc1e1760e 100644
--- a/arrow-avro/README.md
+++ b/arrow-avro/README.md
@@ -212,9 +212,11 @@ async fn main() -> anyhow::Result<()> {
 * **Confluent Schema Registry wire format**: 1‑byte magic `0x00` + 4‑byte BE 
schema ID + Avro body; supports decode + encode helpers.
 * **Avro Single‑Object Encoding (SOE)**: 2‑byte magic `0xC3 0x01` + 8‑byte LE 
CRC‑64‑AVRO fingerprint + Avro body; supports decode + encode helpers.
 
----
+## Security
+
+See the [Security Policy] for information on the security model and how to 
report vulnerabilities.
 
-## Examples
+[Security Policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md
 
 * Read/write OCF in memory and from files (see crate docs “OCF round‑trip”).
 * Confluent wire‑format and SOE quickstarts are provided as runnable snippets 
in docs.
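Review bot: this hunk drops the `## Examples` heading (the `-## Examples` line is replaced by the `[Security Policy]:` link definition) but keeps the example bullets that followed it, so `* Read/write OCF in memory and from files ...` and the SOE quickstart bullet now render under `## Security`. Restore `## Examples` before those bullets and move the `[Security Policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md` definition to the end of the file, as the other READMEs in this change do.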
diff --git a/arrow-csv/README.md b/arrow-csv/README.md
new file mode 100644
index 0000000000..bd1f5c9787
--- /dev/null
+++ b/arrow-csv/README.md
@@ -0,0 +1,33 @@
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+
+# `arrow-csv`
+
+Support for reading and writing CSV files to and from [Apache Arrow].
+
+See the [main repository README] and the [API documentation] for more details.
+
+## Security
+
+See the [Security Policy] for information on the security model and how to 
report vulnerabilities.
+
+[Apache Arrow]: https://arrow.apache.org/
+[main repository README]: https://github.com/apache/arrow-rs
+[API documentation]: https://docs.rs/arrow-csv/latest
+[Security Policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md
diff --git a/arrow-flight/README.md b/arrow-flight/README.md
index 1cd8f5cfe2..49bf5a12b0 100644
--- a/arrow-flight/README.md
+++ b/arrow-flight/README.md
@@ -81,4 +81,9 @@ $ flight_sql_client --host example.com statement-query 
"SELECT 1;"
 +----------+
 ```
 
+## Security
+
+See the [Security Policy] for information on the security model and how to 
report vulnerabilities.
+
 [apache arrow flightsql]: https://arrow.apache.org/docs/format/FlightSql.html
+[security policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md
diff --git a/arrow-ipc/README.md b/arrow-ipc/README.md
new file mode 100644
index 0000000000..6b60ec2ba2
--- /dev/null
+++ b/arrow-ipc/README.md
@@ -0,0 +1,34 @@
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+
+# `arrow-ipc`
+
+Support for reading and writing files and streams in the [Arrow IPC Format] to 
and from [Apache Arrow].
+
+See the [main repository README] and the [API documentation] for more details.
+
+## Security
+
+See the [Security Policy] for information on the security model and how to 
report vulnerabilities.
+
+[Apache Arrow]: https://arrow.apache.org/
+[Arrow IPC Format]: 
https://arrow.apache.org/docs/format/Columnar.html#format-ipc
+[main repository README]: https://github.com/apache/arrow-rs
+[API documentation]: https://docs.rs/arrow-ipc/latest
+[Security Policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md
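Review bot: the Security section here only links out, yet `arrow-ipc` is the crate that reads Arrow buffers from files and streams, which is exactly the untrusted-source case the new SECURITY.md says "requires explicit validation". A one-line pointer in this README to that requirement and to [`ArrayData::validate_full`] (already linked from SECURITY.md) would put the guidance where the affected reader is, rather than one click away.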
diff --git a/arrow-json/README.md b/arrow-json/README.md
new file mode 100644
index 0000000000..4057fd84c5
--- /dev/null
+++ b/arrow-json/README.md
@@ -0,0 +1,33 @@
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+
+# `arrow-json`
+
+Support for reading and writing JSON to and from [Apache Arrow].
+
+See the [main repository README] and the [API documentation] for more details.
+
+## Security
+
+See the [Security Policy] for information on the security model and how to 
report vulnerabilities.
+
+[Apache Arrow]: https://arrow.apache.org/
+[main repository README]: https://github.com/apache/arrow-rs
+[API documentation]: https://docs.rs/arrow-json/latest
+[Security Policy]: ../SECURITY.md
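Review bot: `[Security Policy]: ../SECURITY.md` is the only relative link in this change; every other README uses `https://github.com/apache/arrow-rs/blob/main/SECURITY.md`. A crate README is rendered on crates.io and docs.rs from the published package, where `../SECURITY.md` does not exist, so the link will be dead there. Use the absolute URL for consistency.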
diff --git a/arrow/README.md b/arrow/README.md
index 7c55932d2f..4c08455365 100644
--- a/arrow/README.md
+++ b/arrow/README.md
@@ -76,6 +76,25 @@ The `arrow` crate provides the following features which may 
be enabled in your `
 
 The [Apache Arrow Status](https://arrow.apache.org/docs/status.html) page 
lists which features of Arrow this crate supports.
 
+
+## Security
+
+`arrow-rs` follows the [Apache Arrow Security Model].
+
+Unexpected behavior (e.g., panics, crashes, or infinite loops) triggered by
+malformed input, and instances of undefined behavior (UB) triggered via safe
+APIs are considered bugs rather than security vulnerabilities unless they are 
exploitable
+by an attacker to
+
+* Execute arbitrary code (Remote Code Execution);
+* Exfiltrate sensitive information from process memory (Information 
Disclosure);
+
+We welcome your help in fixing such bugs and security issues. See our
+[Security Policy] for reporting.
+
+[Apache Arrow Security Model]: 
https://arrow.apache.org/docs/dev/format/Security.html
+[Security Policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md
+
 ## Safety
 
 Arrow seeks to uphold the Rust Soundness Pledge as articulated eloquently 
[here](https://raphlinus.github.io/rust/2020/01/18/soundness-pledge.html). 
Specifically:
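Review bot: the hunk inserts a blank `+` line directly after an existing blank context line, leaving a double blank before `## Security`. The bullet list again ends on `(Information Disclosure);` with no closing "or" or full stop, and the compound subject "Unexpected behavior ... triggered by malformed input, and instances of undefined behavior (UB) ..." should not have the comma before "and". This paragraph also restates the SECURITY.md wording almost verbatim; keeping it to a one-sentence summary plus the `[Security Policy]` link avoids the two copies drifting apart.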
diff --git a/arrow/src/lib.rs b/arrow/src/lib.rs
index f9b0c717f0..48ab42e84c 100644
--- a/arrow/src/lib.rs
+++ b/arrow/src/lib.rs
@@ -335,14 +335,34 @@
 //! * [`parquet`](https://docs.rs/parquet) - support for [Apache Parquet]
 //! * [`arrow-avro`](https://docs.rs/arrow-avro) - support for [Apache Avro]
 //!
-//! # Safety and Security
+//! # Security
 //!
-//! Like many crates, this crate makes use of unsafe where prudent. However, 
it endeavours to be
-//! sound. Specifically, **it should not be possible to trigger undefined 
behaviour using safe APIs.**
+//! This project follows the [Apache Arrow Security Model].
 //!
-//! If you think you have found an instance where this is possible, please file
-//! a ticket in our [issue tracker] and it will be triaged and fixed. For more 
information on
-//! arrow's use of unsafe, see 
[here](https://github.com/apache/arrow-rs/tree/main/arrow#safety).
+//! Unexpected behavior (e.g., panics, crashes, or infinite loops) triggered by
+//! malformed input is considered a **bug**, not a security vulnerability,
+//! unless it is **exploitable** by an attacker to
+//!
+//! * Execute arbitrary code (Remote Code Execution);
+//! * Exfiltrate sensitive information from process memory (Information 
Disclosure);
+//!
+//! If you think you have found a security vulnerability, please follow the
+//! reporting instructions in the [security policy].
+//!
+//! [security policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md
+//!
+//! # Safety
+//!
+//! Like many crates, this crate makes use of `unsafe` where prudent. However, 
it endeavors to be
+//! sound. Specifically, **it should not be possible to trigger undefined 
behavior using safe APIs.**
+//!
+//! Undefined behavior using safe APIs is considered a bug, not a security
+//! vulnerability, unless it can be exploited. Please see the [security policy]
+//! for details.
+//!
+//! For more information on the use of `unsafe`, see 
[here](https://github.com/apache/arrow-rs/tree/main/arrow#safety).
+//!
+//! [Apache Arrow Security Model]: 
https://arrow.apache.org/docs/dev/format/Security.html
 //!
 //! # Higher-level Processing
 //!
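Review bot: the removed line `-//! a ticket in our [issue tracker] and it will be triaged and fixed.` was a use of the `[issue tracker]` reference link; check that its `[issue tracker]: ...` definition elsewhere in this doc comment is either still referenced or removed with it, so the crate docs do not carry a dangling definition. Minor: `[security policy]:` is defined mid-text while `[Apache Arrow Security Model]:` is defined at the end of the section; grouping both at the end keeps the pattern the rest of the file uses.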
diff --git a/parquet/README.md b/parquet/README.md
index 9e4e91d85d..8fb48856fe 100644
--- a/parquet/README.md
+++ b/parquet/README.md
@@ -79,6 +79,12 @@ information on the status of this implementation.
 [implementation status page]: 
https://parquet.apache.org/docs/file-format/implementationstatus/
 [apache parquet]: https://parquet.apache.org/
 
+## Security
+
+See the [Security Policy] for information on the security model and how to 
report vulnerabilities.
+
+[security policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md
+
 ## License
 
 Licensed under the Apache License, Version 2.0: 
<http://www.apache.org/licenses/LICENSE-2.0>.
diff --git a/parquet_derive/README.md b/parquet_derive/README.md
index 783c71abd5..6423fa5a51 100644
--- a/parquet_derive/README.md
+++ b/parquet_derive/README.md
@@ -144,6 +144,12 @@ To compile and test doctests, run `cargo test --doc -- 
--show-output`
 To build documentation, run `cargo doc --no-deps`.
 To compile and view in the browser, run `cargo doc --no-deps --open`.
 
+## Security
+
+See the [Security Policy] for information on the security model and how to 
report vulnerabilities.
+
+[Security Policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md
+
 ## License
 
-Licensed under the Apache License, Version 2.0: 
http://www.apache.org/licenses/LICENSE-2.0.
\ No newline at end of file
+Licensed under the Apache License, Version 2.0: 
http://www.apache.org/licenses/LICENSE-2.0.